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CLAIM AMENDMENTS 

This listing of claims will replace all prior versions and listings of claims in the application. 
Listing of Claims 

1 . (Currently Amended) A method of tracking-back a malicious data packet in a 
connection-oriented communication network, comprising the steps of; 

a) for a given time window {Time Period), computing a unique flow identifier 
{Flowld) for each packet of a given flow seen by a router interface {Incoming 

Link) at a network node; 

b) inserting said Flowld into a data structure associated to said Time Period and said 
incoming Link, available at said network node; 

c) storing said data structure in a searchable re pository; an d renositorv: 

d) repeating steps a) to c) for a next Time Period and for each Incoming link 
at said network nodo. nodg; 

6l determining the time of arrival X of said malicious packet at said network node and 

computing Flowld for said malicious packet: and 

f> identifying said Incoming Link fo r said malicious packet by searching for the Flowld of 

said malicious packet in all dat a structures for said network node that cover the time of arrival X. 

2. (Cancelled) 
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| 3. (Currently Amended) The method o f cluim - 3_ claim 1, further comprising tracing-back 

hop by hop the source of said single packet from said router, by performing steps e) and f) for 

each network node along the path of said malicious packet. 

4. (Original) The method of claim 1, wherein step a) is based on flow definition adopted for 
said network. 

5. (Original) The method of claim 1, wherein step a) comprises applying a specified 
function to one or more header fields of each packet received in said flow. 

6. (Original) The method of claim 1, wherein step a) comprises applying a specified 
function to one or more header fields of each packet received in said flow and an incoming 
interface identification parameter. 

7. (Original) The method of claim 1 , wherein step a) comprises applying a specified 
function to one or more characteristics of each packet. 

8. (Original) The method of claim 1, wherein step a) comprises applying a specified 
function to one or more characteristics of each packet received in said flow and an incoming 
interface identification parameter. 



3 - 



PAGE 5/11 1 RCVO AT 3/2712007 4:03:06 PM [Eastern Daylight Time] ' SVR:USPT0-EFXRF-2/1 5 * DNIS:2738300 * CSID:703 5199802 * DURATION (mm-ss):02-54 



MflR-27-2007' 15=03 



KRAMER 8, AM ADO, P.C. 



703 5199802 P. 



Application No: 10/730,926 
Attorney's Docket No: ALC 3 106 

9. (Original) The method of claim 1, wherein said data structure is a hash table based on a 
Bloom filter. 

10. (Original) The method of claim 1 , wherein said searchable repository is maintained for 
each router interface at said network node. 

1 1 . (Original) The method of claim 10, wherein said searchable repository stores all said 
data structures for all router interfaces at said network node. 

12. (Original) The method of claim 1, wherein said searchable database is a centralized 
searchable repository maintained for said network. 

13. (Currently Amended) A method of tracking-back a malicious data packet in a 
connection-oriented communication network, comprising the steps of: 

a) for a given time window (Time Period), computing a flow identifier (Flowld) for a 
flow seen by a router interface {Incoming Link) at a network node based on a flow 
characterization parameter obtained from a flow management system; 

b) inserting said Flowld into a data structure, associated to said Time Period 
and said Incoming Link, available at said network node; 

c) storing said data structure in a database that is a centralized searchable repository: 
^repository: 

-4- 
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d) repeating steps a) to c) for a next Time Period and for each Incoming link at said 

network sede riiode; and 

g) finding in said searchable repository the Incoming Link for said malicious packet based 

on a Flowld and a time of arrival X of said malicious packet. 

14. (Currently Amended) A system for tracking-back a malicious data packet in a 
connection-oriented communication, comprising: 

means for computing a unique flow identifier Flowld for each packet of a 
flow seen by a router interface (Incoming Link) at a network node over a given 
period of time (Time Period); 

means for inserting said Flowld into a data structure associated to said 
Time Period, and said Incoming Link available for said network node; 

a database that is a ce ntralized searchable repository for storing said data structure; and 

a search engine for finding in said searchable repository the Incoming Link 
for said malicious packet based on a Flowld and a time of arrival X of said malicious packet. 

1 5. (Original) The system of claim 14 further comprising a flow-based monitoring system 
for tracking back hop-by-hop the source of said malicious packet, 

16. (Original) The system of claim 14, wherein one said searchable repository is maintained 
for each interface at said network node. 

-5- 
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1 7. (Original) The system of claim 14, wherein one said searchable repository is maintained 
for said network node. 

18. (Original) The system of claim 14, wherein said searchable repository is a centralized 
database maintained' for said network. 

19. (Original) The system of claim 14, further comprising a flow based monitoring system 
for providing a flow characterization parameter to said means for calculating. 

20. (Original) The system of claim 14 further comprising a flow management system for 
generating a flow characterization parameter. 

21. (Original) The system of claim 20, wherein said means for computing is a Flowld 
calculator for computing said Flowld form one or more of packet header fields, packet 
characterization parameters and interface identification information, 

22. (Original) The system of claim 20, wherein said means for computing is a Flowld 
calculator for computing said Flowld form packet header information. 
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